Cisco IOS Syslog Messages

https://vimeo.com/204228743 Even if you have never heard of syslog before, you probably have seen it when you worked on a router or switch. Take a look at the following lines: R1# *Feb 14 09:38:48.132: %SYS-5-CONFIG_I: Configured from console by console R1# *Feb 14 09:40:09.325: %LINK-3-UPDOWN: Inte

Even if you have never heard of syslog before, you probably have seen it when you worked on a router or switch. Take a look at the following lines:

R1#
*Feb 14 09:40:09.325: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Feb 14 09:40:10.326: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

Whenever anything interesting is happening on the router or switch, Cisco IOS informs us in real-time. This is done by syslog.

By default, these syslog messages are only outputted to the console. This is because the logging console command is enabled by default. If you log in through telnet or SSH, you won’t see any syslog messages. You can enable this with the terminal monitor command.

Storing Syslog Messages

Local History

Logging to the console or telnet/SSH is useful if you are around but what if you are not or if you want to see some older messages? Fortunately for us, Cisco IOS keeps a history of syslog messages. We can see these with the show logging command:

Above we can see some syslog messages in our history, it will store up to 8192 bytes of syslog messages in its RAM. When you reboot your router or switch, the history will be gone. It is possible to increase the size of the logging buffer. For example:

R1(config)#logging buffered 16384

This reserves up to 16384 bytes of RAM for syslog messages. We can see it here:

R1#show logging | include Log Buffer
Log Buffer (16384 bytes):

Syslog Server

A local history is nice but it is stored in RAM. If you reboot the router or switch, it will be gone. What if the router crashed and you want to see if it logged anything before it went down? If you have dozens of routers and switches, logging into each device one-by-one to look for syslog messages is also not the best way to spend your time.

In production networks, we use a central server called a syslog server. Syslog is a protocol, a standard and you can configure your routers and switches to forward syslog messages to the syslog server like this:

R1(config)#logging 192.168.1.2

Here’s a screenshot of a syslog server:

Above you can see some syslog messages from 192.168.1.1 (my router). You can also use filters to search for certain syslog messages and more.

Syslog Message Format

R1#
*Feb 14 09:40:10.326: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

Above we can see that the line protocol of interface GigabitEthernet0/1 went up but there’s a bit more info than just that. Let me break down how Cisco IOS formats these log messages:

timestamp: Feb 14 0:40:10.326

facility: %LINEPROTO

severity level: 5

mnemonic: UPDOWN

description: Line protocol on Interface GigabitEthernet0/1, changed state to up

The timestamp is pretty much self explanatory, without it you would never know when an event has occured. It is possible to disable it and/or replace it with sequence numbers. Here’s a quick example:

R1(config)#no service timestamps

R1#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

Here’s how to enable sequence numbers:

R1(config)#service sequence-numbers

R1#
000045: %SYS-5-CONFIG_I: Configured from console by console
000046: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

The syslog is basically the process that generated the syslog message. If you look at some of the syslog messages above, you can see %LINEPROTO which keeps track of line protocols, %SYS for general system messages and %LINK for interfaces that went up or down.

The severity level is an important one, it tells us how important the message is. Not everything that happens on your router or switch is equally important. I’ll get back to this in a bit.

The mnemonic is a short code for the message. For example, “UPDOWN” for interfaces that go up or down. “CHANGED” for when the interface status changes and so on. These can be useful if you are glancing over some syslog messages, looking for particular message types.

Syslog Severity Levels

Let’s take a closer look at the severity levels. There are different severity levels for logging information. An interface that goes down is probably more important to know than a message that tells us we exited the global configuration. In total there are 8 severity levels:

the lower the number, the more important the syslog message is. Alert and emergency are used when something bad is going on, like when your router runs out of memory and a process crashes. The critical, error and warning messages are used for important events like interfaces that go down. Here’s an example:

If you are debugging something on the router, then you probably want to see your debug messages on your console but maybe you don’t want to send those same messages to your syslog server or to the router’s local syslog history. Cisco IOS allows you to define what syslog messages you want to see, save or send to the syslog server. For example:

Forum Replies

These two commands do two very different things. First of all, the logging monitor errors command, does enable error level logging as you mentioned. That is, it logs all level 3 messages and below (Errors, Critical, Alerts and Emergencies). This command places all syslog messages into the local logging buffer (or sends them to the syslog server, depending on the configuration).

Conversely, the terminal monitor and the terminal no monitor commands don’t turn logging on and off. These commands indicate wheather or not the logging messages will

Syslog is a standard that is used by many vendors for the purpose of message logging. Events that occur within a system (say a router or a switch) are categorised based on severity level as well as function and are stored in a buffer on the device itself or they are sent to a syslog server. These messages are used to for system management and security auditing as well as for general informational analysis and troubleshooting. Syslog messages are generated by the network devices themselves and are just read by the syslog server.

To remember that various Levels of logging, Todd Lammle book says the following sentence
"Every Awesome Cisco Employee Will Need Icecream Daily " . This makes it easy to remember the levels from 0 to 7 with first letters of each word.